SSL offers security for the HTTP protocol:
- Authentication of server to client
- Optional authentication of client to server
Limitations:
- Incompatibly implemented in different browsers
- CA infrastructure not in widespread use
[Figure: SSL handshake between client and server. The server sends its certificate; the premaster secret is exchanged and verified; both sides compute keys and exchange a MAC of the handshake messages. Key derivation: master secret -> key block -> server IV, client IV.]
Session Resumption
Problem: public key crypto is expensive. On a new TCP connection, reuse the master secret.
- Avoids unnecessary public key cryptography.
- Combines the cached master secret with new randomness to generate new session keys.
- Works even when the client IP changes (servers cache on session ID, clients cache on server hostname).
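The key derivation behind resumption, as an added example (not from the original slides): the TLS 1.2 PRF from RFC 5246 expands a cached master secret together with fresh client and server randoms into a new key block, and a toy client/server pair caches sessions the way the slide describes (server by session ID, client by hostname). The Server and Client classes, the use of a random value in place of the premaster-secret exchange, and the AES-128-CBC/HMAC-SHA256 key sizes are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# TLS 1.2 PRF (RFC 5246, section 5) instantiated with HMAC-SHA256.
# P_hash expands a secret and a seed into a key stream of any length:
#   A(0) = seed, A(i) = HMAC(secret, A(i-1))
#   P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    out = b""
    a = hmac.new(secret, seed, hashlib.sha256).digest()
    while len(out) < length:
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246, section 6.3: key_block = PRF(master_secret, "key expansion",
    server_random + client_random), sliced into MAC keys, encryption keys and
    IVs. Sizes assume AES-128-CBC with HMAC-SHA256 (32, 16 and 16 bytes)."""
    sizes = [("client_mac", 32), ("server_mac", 32), ("client_key", 16),
             ("server_key", 16), ("client_iv", 16), ("server_iv", 16)]
    block = prf(master_secret, b"key expansion", server_random + client_random,
                sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys


class Server:
    """Caches master secrets by session ID (constructed model, not a TLS stack)."""

    def __init__(self):
        self.sessions = {}
        self.last_keys = None

    def full_handshake(self, client_random: bytes):
        # In real TLS the master secret is derived from the premaster secret that
        # the public-key exchange protects; here a fresh random value stands in.
        session_id = secrets.token_bytes(32)
        master_secret = secrets.token_bytes(48)
        server_random = secrets.token_bytes(32)
        self.sessions[session_id] = master_secret
        self.last_keys = derive_keys(master_secret, client_random, server_random)
        return session_id, master_secret, server_random

    def resume(self, session_id: bytes, client_random: bytes):
        master_secret = self.sessions.get(session_id)
        if master_secret is None:
            return None  # unknown or evicted session: client must do a full handshake
        server_random = secrets.token_bytes(32)  # new randomness, same master secret
        self.last_keys = derive_keys(master_secret, client_random, server_random)
        return server_random


class Client:
    """Caches (session ID, master secret) by server hostname, so a changed
    client IP address does not prevent resumption."""

    def __init__(self):
        self.sessions = {}

    def connect(self, hostname: str, server: Server):
        client_random = secrets.token_bytes(32)
        cached = self.sessions.get(hostname)
        if cached is not None:
            session_id, master_secret = cached
            server_random = server.resume(session_id, client_random)
            if server_random is not None:
                return "resumed", derive_keys(master_secret, client_random, server_random)
        session_id, master_secret, server_random = server.full_handshake(client_random)
        self.sessions[hostname] = (session_id, master_secret)
        return "full", derive_keys(master_secret, client_random, server_random)


if __name__ == "__main__":
    srv, cli = Server(), Client()
    kind1, keys1 = cli.connect("www.example.com", srv)
    kind2, keys2 = cli.connect("www.example.com", srv)  # second TCP connection
    print(kind1, kind2, keys1["client_key"] != keys2["client_key"])
```

The second connection is resumed without any public-key work, yet its record keys differ from the first connection's because both randoms are fresh; an attacker who recorded the first session's keys gains nothing against the second, while a lost or evicted cache entry simply falls back to a full handshake.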
- Letterhead from company ($0)
- Notarized document (need driver's license) ($0)
Conclusions:
- Easy to get a fraudulent certificate
- Maybe not so easy to avoid prosecution afterwards
So many CAs...
Interrogative adversaries
- Adaptively query a Web server a reasonable number of times
- Treat the server as an oracle for an adaptive chosen-message attack
- Don't need any eavesdropping or other network tampering
- Anyone can do it, but a surprisingly powerful attack
- C.f., adaptive chosen-ciphertext attacks: they sounded improbable too
Cookies
- A Web server can store key/value pairs on a client
- The browser resends cookies in subsequent requests to the server
- Cookies can implement login sessions

Netscape cookie example:
domain     Path   SSL?   Expiration   Value
.wsj.com   /cgi   FALSE  941452067    bitdiddleMaRdw2J1h6Lfc
[Figure: login flow with cookies. The client sends POST /login.cgi to the Web server; the server replies with a "Welcome" page and Set-Cookie: authenticator. The client then sends GET /restricted/index.html with Cookie: authenticator, and the server returns the content of the restricted page.]
Guess a victim's sequence number by decrementing. Access to personal information: change address, receive password by email!

wsj.com
- Authenticate subscribers with stateless servers
- Half million paid-subscriber accounts
- Purchase articles, track stock portfolios
wsj.com analysis
Design:  fastlogin = {user, MACk(user)}
Reality: fastlogin = user + UNIX-crypt(user + server secret)
Easy to produce fastlogin cookies:
username    crypt() output   fastlogin cookie
bitdiddl    MaRdw2J1h6Lfc    bitdiddlMaRdw2J1h6Lfc
bitdiddle   MaRdw2J1h6Lfc    bitdiddleMaRdw2J1h6Lfc

Usernames matching in the first 8 characters have the same authenticator. No revocation or expiration. This is already bad, but it gets worse...
Google
Google indexed many cookie files inadvertently placed on the Web. Search for:
- cookies.txt
- avenuea.com FALSE FALSE (cookie set by advertising co.)
- CERT7.DB or text:CERT7.DB (in many cookies.txt files)
A simple scheme that works:
auth = expire + data + MACk(expire + data)
where MAC could be HMAC-SHA1, data could be a username or capability, and + denotes concatenation with a delimiter. Secure against an interrogative adversary.
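The wsj.com analysis and the scheme above, side by side, as an added example that is not part of the original slides: the flawed construction is modelled with a crypt_like() helper that keeps only the first 8 characters of its input (traditional DES-based crypt() behaves that way; the helper hashes with SHA-1 instead of calling crypt() so the collision shown comes purely from the truncation), and the working scheme is implemented with HMAC-SHA1 over expire + data, verified with a constant-time comparison and an expiry check. The server secret, the "|" delimiter and all sample usernames are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed server secret; a real deployment uses a random key held only
# on the server.
SERVER_SECRET = b"constructed-server-secret"
DELIM = "|"


# --- wsj.com as deployed: fastlogin = user + crypt(user + server secret) ---
# Traditional DES-based crypt() uses only the first 8 characters of its input.
# crypt_like() models that truncation (with SHA-1 standing in for crypt()).
def crypt_like(text: str) -> str:
    return hashlib.sha1(text[:8].encode()).hexdigest()[:13]


def flawed_fastlogin(user: str, secret: str) -> str:
    # No expiry field, and the tag depends only on the first 8 characters of
    # user + secret, so "bitdiddl" and "bitdiddle" share an authenticator.
    return user + crypt_like(user + secret)


# --- The simple scheme: auth = expire + data + MAC_k(expire + data) --------
def make_auth(data: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    if DELIM in data:
        raise ValueError("data must not contain the delimiter")
    expire = int((time.time() if now is None else now) + ttl_seconds)
    msg = f"{expire}{DELIM}{data}"
    tag = hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha1).hexdigest()
    return f"{msg}{DELIM}{tag}"


def verify_auth(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated data, or None if the cookie is malformed,
    tampered with, or expired. The MAC is checked before the expiry field
    is trusted, so an attacker cannot extend a cookie's lifetime."""
    try:
        expire_s, data, tag = cookie.split(DELIM)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{expire_s}{DELIM}{data}".encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        expire = int(expire_s)
    except ValueError:
        return None
    if expire <= (time.time() if now is None else now):
        return None
    return data


if __name__ == "__main__":
    print(flawed_fastlogin("bitdiddl", "secret"))
    print(flawed_fastlogin("bitdiddle", "secret"))  # same 13-character tag
    cookie = make_auth("bitdiddle", ttl_seconds=3600)
    print(cookie, verify_auth(cookie))
```

Because the tag covers both the expiry and the data, changing either field invalidates the cookie, and an interrogative adversary who can request any number of valid cookies for their own account still cannot forge one for another username or push an expiry into the future without the key.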